draft: partially getting authelia to work

its started at auth.tuxcord.test

agenix/secrets.nix

@@ -21,5 +21,5 @@ in
   map (user: {
     name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age";
     value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name;
-  }) (builtins.filter (user: user.value.options.ddns or false) (attrsToList users))
+  }) (builtins.filter (user: user.value.ddns or false) (attrsToList users))
 )

lib/default.nix

@@ -1,21 +1,24 @@
 rec {
-  users = import ./users.nix;
+  toList = x: if builtins.isList x then x else [ x ];
 
-  adminSSHKeys = builtins.concatLists (
-    map (user: getSSHKeys user.name) (
-      builtins.filter (user: user.value.options.admin or false) (attrsToList users)
-    )
-  );
+  nameValuePair = name: value: { inherit name value; };
+
+  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
 
   attrsToList = mapAttrsToList nameValuePair;
-  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
-  nameValuePair = name: value: { inherit name value; };
-  toList = x: if builtins.isList x then x else [ x ];
 
   getSSHKeys =
     username:
     if (builtins.hasAttr "ssh" users.${username}) then
       toList users.${username}.ssh
     else
-      builtins.warn "user ${username} declared without ssh key" [ ];
+      builtins.warn "user ${username} declared without ssh keys" [ ];
+
+  users = import ./users.nix;
+
+  adminSSHKeys = builtins.concatLists (
+    map (user: getSSHKeys user.name) (
+      builtins.filter (user: user.value.admin or false) (attrsToList users)
+    )
+  );
 }

lib/users.nix

@@ -1,23 +1,19 @@
 {
   error = {
     ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
-    options = {
-      admin = true;
-      ddns = true;
-    };
+    admin = true;
+    ddns = true;
   };
 
   javalsai = {
     ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
-    options = {
-      admin = true;
-      ddns = true;
-    };
+    admin = true;
+    ddns = true;
   };
 
   max = {
     ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
-    options.admin = true;
+    admin = true;
   };
 
   vectorum = {

nixos/common.nix

@@ -100,21 +100,17 @@ in
     extraHosts =
       let
         subdomains = [
-          ""
-          ".git"
+          "git"
+          "auth"
         ];
+
+        inherit (config.networking) fqdn;
+        hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
       in
-      builtins.foldl' (
-        hosts-acc: domain-prefix:
-        let
-          host = "${domain-prefix}${config.networking.fqdn}";
-        in
-        hosts-acc
-        + ''
-          127.0.0.1 ${host}
-          ::1 ${host}
-        ''
-      ) "" subdomains;
+      lib.concatMapStrings (host: ''
+        127.0.0.1 ${host}
+        ::1 ${host}
+      '') hosts;
   };
 
   virtualisation.podman.enable = true;

nixos/hardware.nix

@@ -15,7 +15,10 @@
       "xhci_pci"
     ];
 
-    kernelModules = [ "kvm-intel" ];
+    kernelModules = [
+      "kvm-amd"
+      "kvm-intel"
+    ];
   };
 
   hardware = {

nixos/hosts/tuxcord-acmetest/default.nix

@@ -1,11 +1,14 @@
 {
-  acme = {
-    enable = true;
-    rfc2136.nameserver = "tuxcord.net";
-  };
+  imports = [
+    ./storage.nix
+  ];
 
-  dns.enable = true;
   networking.fqdn = "nix.tuxcord.net";
 
+  acme.rfc2136.nameserver = "tuxcord.net";
+  dns.enable = true;
+
+  services.getty.autologinUser = "root";
+
   time.timeZone = "Europe/Madrid";
 }

nixos/hosts/tuxcord-acmetest/storage.nix

@@ -0,0 +1,6 @@
+{
+  fileSystems."/" = {
+    device = "/dev/vda";
+    fsType = "ext4";
+  };
+}

nixos/hosts/tuxcord-ca/storage.nix

@@ -32,6 +32,7 @@
         device = "/dev/xvda2";
         fsType = "btrfs";
         options = [ "subvol=@persist" ] ++ defaultOptions;
+        neededForBoot = true;
       };
     };
 }

nixos/hosts/tuxcord-test/default.nix

@@ -1,6 +1,12 @@
 {
+  imports = [
+    ./storage.nix
+  ];
+
+  networking.fqdn = "tuxcord.test";
+
   acme.enable = false;
   dns.enable = true;
 
-  networking.fqdn = "tuxcord.test";
+  services.getty.autologinUser = "root";
 }

nixos/hosts/tuxcord-test/storage.nix

@@ -0,0 +1,6 @@
+{
+  fileSystems."/" = {
+    device = "/dev/vda";
+    fsType = "ext4";
+  };
+}

nixos/impermanence.nix

@@ -55,8 +55,6 @@
     };
   };
 
-  fileSystems."/persist".neededForBoot = true;
-
   environment.persistence."/persist" = {
     enable = true;
     hideMounts = true;

nixos/modules/authelia.nix

@@ -0,0 +1,136 @@
+{ config, ... }:
+let
+  inherit (config.networking) fqdn;
+
+  acmeEnabled = config.acme.enable;
+in
+{
+  services.authelia.instances.main = {
+    enable = true;
+
+    secrets = {
+      jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
+      storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+      sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
+    };
+
+    settings = {
+      theme = "dark";
+      default_redirection_url = "https://${fqdn}"; # HAS to be httpS
+
+      server.address = "127.0.0.1:3001";
+
+      log = {
+        level = "debug";
+        format = "text";
+      };
+
+      authentication_backend = {
+        file = {
+          path = "/var/lib/authelia-main/users_database.yml";
+        };
+      };
+
+      access_control = {
+        default_policy = "deny";
+        rules = [
+          {
+            domain = [ "auth.${fqdn}" ];
+            policy = "bypass";
+          }
+          {
+            domain = [ "*.${fqdn}" ];
+            policy = "one_factor";
+          }
+        ];
+      };
+
+      session = {
+        name = "authelia_session";
+        expiration = "12h";
+        inactivity = "45m";
+        remember_me = "1M";
+        domain = "${fqdn}";
+        redis.host = "/run/redis-authelia-main/redis.sock";
+      };
+
+      regulation = {
+        max_retries = 3;
+        find_time = "5m";
+        ban_time = "15m";
+      };
+
+      storage = {
+        local = {
+          path = "/var/lib/authelia-main/db.sqlite3";
+        };
+      };
+
+      notifier = {
+        disable_startup_check = false;
+        filesystem = {
+          filename = "/var/lib/authelia-main/notification.txt";
+        };
+      };
+    };
+  };
+
+  services.redis.servers.authelia-main = {
+    enable = true;
+    user = "authelia-main";
+    port = 0;
+    unixSocket = "/run/redis-authelia-main/redis.sock";
+    unixSocketPerm = 600;
+  };
+
+  # services.openldap = {
+  #   enable = true;
+
+  #   # enable plain connections only
+  #   urlList = [ "ldap:///" ];
+
+  #   settings = {
+  #     attrs = {
+  #       olcLogLevel = "conns config";
+  #     };
+
+  #     children = {
+  #       # "cn=schema".includes = [
+  #       #   "${pkgs.openldap}/etc/schema/core.ldif"
+  #       #   "${pkgs.openldap}/etc/schema/cosine.ldif"
+  #       #   "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+  #       # ];
+
+  #       "olcDatabase={1}mdb".attrs = {
+  #         objectClass = [
+  #           "olcDatabaseConfig"
+  #           "olcMdbConfig"
+  #         ];
+
+  #         olcDatabase = "{1}mdb";
+  #         olcDbDirectory = "/var/lib/openldap/data";
+
+  #         olcSuffix = "dc=example,dc=com";
+
+  #         # your admin account, do not use writeText on a production system
+  #         olcRootDN = "cn=admin,dc=example,dc=com";
+  #         olcRootPW.path = builtins.roFile "olcRootPW" "pass";
+
+  #         olcAccess = [
+  #           # custom access rules for userPassword attributes
+  #           ''
+  #             {0}to attrs=userPassword
+  #                           by self write
+  #                           by anonymous auth
+  #                           by * none''
+
+  #           # allow read on anything else
+  #           ''
+  #             {1}to *
+  #                           by * read''
+  #         ];
+  #       };
+  #     };
+  #   };
+  # };
+}

nixos/modules/default.nix

@@ -1,6 +1,7 @@
 {
   imports = [
     ./acme.nix
+    ./authelia.nix
     ./dns.nix
     ./fail2ban.nix
     ./gitea.nix

nixos/modules/nginx.nix

@@ -3,13 +3,20 @@ let
   inherit (config.networking) fqdn;
 
   mkVhost =
-    attrs:
+    attrs: locations:
     let
       acmeEnabled = config.acme.enable;
     in
     {
       forceSSL = acmeEnabled;
       useACMEHost = if acmeEnabled then fqdn else null;
+
+      locations = {
+        "= /robots.txt" = {
+          alias = disallowedRobotsTxt;
+        };
+      }
+      // locations;
     }
     // attrs;
 
@@ -21,6 +28,19 @@ let
       proxy_request_buffering off;
     '';
   };
+
+  mkSsi = webRoot: {
+    root = webRoot;
+
+    extraConfig = ''
+      ssi on;
+    '';
+  };
+
+  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
+    User-agent: *
+    Disallow: /
+  '';
 in
 {
   services.nginx = {
@@ -32,20 +52,18 @@ in
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
 
-    virtualHosts."${fqdn}" = mkVhost {
-      default = true;
-
-      locations."/" = {
-        root = "${self.pins.website}/web-root";
-
-        extraConfig = ''
-          ssi on;
-        '';
+    virtualHosts = {
+      "${fqdn}" = mkVhost { default = true; } {
+        "/" = mkSsi "${self.pins.website}/web-root";
       };
-    };
 
-    virtualHosts."git.${fqdn}" = mkVhost {
-      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+      "git.${fqdn}" = mkVhost { } {
+        "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+      };
+
+      "auth.${fqdn}" = mkVhost { } {
+        "/" = mkProxy 3001;
+      };
     };
   };
 

nixos/openssh.nix

@@ -4,6 +4,7 @@
 
     settings = {
       ClientAliveInterval = 300;
+      X11Forwarding = true;
 
       KbdInteractiveAuthentication = false;
       PasswordAuthentication = false;

nixos/users.nix

@@ -11,35 +11,30 @@ let
     "wheel"
   ];
 
-  mkUser =
-    name: uid: options:
-    let
-      admin = options.admin or false;
-    in
-    {
-      users.users.${name} = {
-        inherit uid;
-        isNormalUser = true;
-        extraGroups = lib.optionals admin adminGroups;
-        openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
-      };
-
-      systemd.slices."user-${builtins.toString uid}".sliceConfig = {
-        CPUQuota = "50%";
-        CPUWeight = "10";
-        IOAccounting = true;
-        IOWeight = "10";
-        MemoryMax = "2G";
-        MemorySwapMax = "1G";
-        TasksMax = "100";
-      };
+  mkUser = name: uid: admin: {
+    users.users.${name} = {
+      inherit uid;
+      isNormalUser = true;
+      extraGroups = lib.optionals admin adminGroups;
+      openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
     };
+
+    systemd.slices."user-${builtins.toString uid}".sliceConfig = {
+      CPUQuota = "50%";
+      CPUWeight = "10";
+      IOAccounting = true;
+      IOWeight = "10";
+      MemoryMax = "2G";
+      MemorySwapMax = "1G";
+      TasksMax = "100";
+    };
+  };
 in
 lib.recursiveUpdate
   (builtins.foldl'
     (attrs: user: {
       options = lib.recursiveUpdate attrs.options (
-        mkUser user.name attrs.uid (user.value.options or { })
+        mkUser user.name attrs.uid (user.value.admin or false)
       );
       uid = attrs.uid + 1;
     })
@@ -50,8 +45,21 @@ lib.recursiveUpdate
     (lib.attrsToList users)
   ).options
   {
-    users.users.root = {
-      initialPassword = "tuxcord";
-      openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
+    users = {
+      motd = ''
+                  __                                          __                      __
+        ---------/\ \__                                      /\ \                    /\ \__
+        ---------\ \ ,_\  __  __  __  _   ___    ___   _ __  \_\ \        ___      __\ \ ,_\
+        ----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \      /'_ `\  /'__`\ \ \/
+        -----------\ \ \_\ \ \_\ \/>  <//\ \__//\ \L\ \ \ \//\ \L\ \  __/\ \/\ \/\  __/\ \ \_
+        ------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
+        -------------\/__/ \/___/ \//\/_/\/____/\/___/  \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
+                                                    A friendly Linux community - est. July 2023
+      '';
+
+      users.root = {
+        initialPassword = "tuxcord";
+        openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
+      };
     };
   }

npins/sources.json

@@ -8,9 +8,9 @@
       },
       "branch": "main",
       "submodules": false,
-      "revision": "a9f523c268062c0c4a8167b719be15e3e4b3ef88",
+      "revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
       "url": null,
-      "hash": "0ql14xjz0prvy3rdx6zkbpsjxvx40ivdzrwzdgfsk07jg07aki05"
+      "hash": "18czfxaldy0zhjprdsqzxnzj3p9qlc4canwigr13iw2wisi4ww5y"
     }
   },
   "version": 5